X-Git-Url: https://asedeno.scripts.mit.edu/gitweb/?a=blobdiff_plain;f=sshccp.c;h=0b3dc5737c1babe3e4640a42329ef03e8939b356;hb=5471539a6738484b48fb938c88dce547a3e4b299;hp=35aa43fba06158c610d89c58800dc87fba4eee87;hpb=f8b27925eee6a37df107a7cd2e718e997a52516e;p=PuTTY.git
diff --git a/sshccp.c b/sshccp.c
index 35aa43fb..0b3dc573 100644
--- a/sshccp.c
+++ b/sshccp.c
@@ -1238,7 +1238,7 @@ static const struct ssh_mac ssh2_poly1305 = {
 poly_start, poly_bytes, poly_genresult, poly_verresult, "", "", /* Not selectable individually, just part of ChaCha20-Poly1305 */
- 16, "Poly1305"
+ 16, 0, "Poly1305"
 };
 static void *ccp_make_context(void)
@@ -1290,7 +1290,11 @@ static void ccp_length_op(struct ccp_context *ctx, unsigned char *blk, int len,
 unsigned long seq)
 {
 unsigned char iv[8];
- PUT_32BIT_LSB_FIRST(iv, seq >> 32);
+ /*
+ * According to RFC 4253 (section 6.4), the packet sequence number wraps
+ * at 2^32, so its 32 high-order bits will always be zero.
+ */
+ PUT_32BIT_LSB_FIRST(iv, 0);
 PUT_32BIT_LSB_FIRST(iv + 4, seq);
 chacha20_iv(&ctx->a_cipher, iv);
 chacha20_iv(&ctx->b_cipher, iv);
@@ -1327,7 +1331,7 @@ static const struct ssh2_cipher ssh2_chacha20_poly1305 = {
 ccp_decrypt_length, "chacha20-poly1305@openssh.com",
- 1, 512, SSH_CIPHER_SEPARATE_LENGTH, "ChaCha20",
+ 1, 512, 64, SSH_CIPHER_SEPARATE_LENGTH, "ChaCha20",
 &ssh2_poly1305
 };
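Review bot: The new `0` in the `ssh2_poly1305` initializer and the new `64` in `ssh2_chacha20_poly1305` (third hunk) are bare positional values placed between other integer-looking entries, so nothing in this file says which struct member each one fills. A value that lands one slot off would most likely still compile, and the struct definitions are not part of this diff, so the ordering cannot be confirmed from here. A short comment naming the member on each changed line would make the mapping reviewable, for example `16, 0, /* <new member name> */ "Poly1305"` with the real member name filled in. Both initializers start above their hunks.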
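Review bot: With the upper word fixed at zero in `ccp_length_op`, the 8-byte IV passed to `chacha20_iv` carries only the low 32 bits of `seq`, so its uniqueness under one key depends on a rekey happening before the sequence number wraps; nothing visible in this hunk enforces or documents that. The new comment explains why zero is the right value but not why the shift had to go: where `unsigned long` is 32 bits wide, `seq >> 32` is undefined behaviour. I would extend the comment with both facts, e.g. `* Shifting a 32-bit unsigned long by 32 is undefined; IV uniqueness relies on rekeying before seq wraps.` The function's signature begins in the hunk header and its body continues past the last context line.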